refactor(doubao_new): security improvement

xrgzs · xrgzs · commit 436bb726b32b · 2026-03-23T17:02:08.000+08:00
Signed-off-by: MadDogOwner &lt;xiaoran@xrgzs.top&gt;
diff --git a/drivers/doubao_new/auth.go b/drivers/doubao_new/auth.go
@@ -79,8 +79,6 @@ type dpopKeyPairEnvelope struct {
 	JWK        *jwkECPrivateKey `json:"jwk"`
 }
 
-const defaultDPoPKeySecret = "passport-dpop-token-generator"
-
 type encryptedDpopKeyPair struct {
 	Data       string `json:"data"`
 	Ciphertext string `json:"ciphertext"`
@@ -162,6 +160,14 @@ func GenerateDPoPToken(in DPoPTokenInput) (*DPoPTokenOutput, error) {
 	}, nil
 }
 
+func GenerateDPoPKeyPair() (*ecdsa.PrivateKey, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return validateP256Key(key)
+}
+
 func ParseJWTPayload(token string, out any) error {
 	token = strings.TrimSpace(trimTokenScheme(token))
 	parts := strings.Split(token, ".")
@@ -234,7 +240,7 @@ func parseECPrivateKeyJWK(raw string) (*ecdsa.PrivateKey, error) {
 	return validateP256Key(key)
 }
 
-func parseEncryptedDPoPKeyPair(raw string) (*ecdsa.PrivateKey, error) {
+func parseEncryptedDPoPKeyPair(raw, secret string) (*ecdsa.PrivateKey, error) {
 	raw = strings.TrimSpace(raw)
 	if raw == "" {
 		return nil, errors.New("empty encrypted key pair")
@@ -266,9 +272,9 @@ func parseEncryptedDPoPKeyPair(raw string) (*ecdsa.PrivateKey, error) {
 		return nil, errors.New("encrypted dpop payload too short")
 	}
 
-	plain, err := decryptDoubaoKeyPair(decoded, defaultDPoPKeySecret)
+	plain, err := decryptDoubaoKeyPair(decoded, secret)
 	if err != nil {
-		return nil, fmt.Errorf("failed to decrypt with default secret: %w", err)
+		return nil, fmt.Errorf("failed to decrypt with secret: %w", err)
 	}
 	return parseECPrivateKeyJWK(string(plain))
 }
@@ -381,7 +387,7 @@ func (d *DoubaoNew) resolveAuthorization() string {
 	return "DPoP " + auth
 }
 
-func shouldRefreshJWT(token string, aheadSeconds int64) bool {
+func shouldRefreshJWT(token string) bool {
 	if token == "" {
 		return true
 	}
@@ -392,24 +398,30 @@ func shouldRefreshJWT(token string, aheadSeconds int64) bool {
 	if payload.Exp <= 0 {
 		return false
 	}
-	return payload.Exp <= time.Now().Unix()+aheadSeconds
+	return payload.Exp <= time.Now().Unix()+defaultAuthRefreshAheadSeconds
 }
 
-func (d *DoubaoNew) fetchBizAuth(dpop string) (string, error) {
+func (d *DoubaoNew) fetchBizAuth(dpop string, public bool) (string, error) {
+	var reqUrl string
 	client := base.RestyClient.Clone()
 	req := client.R()
 	req.SetHeader("accept", "application/json, text/javascript")
 	req.SetHeader("origin", DoubaoURL)
 	req.SetHeader("referer", DoubaoURL+"/")
 	req.SetHeader("content-type", "application/x-www-form-urlencoded")
-	if d.Cookie != "" {
-		req.SetHeader("cookie", d.Cookie)
-		if csrf := strings.TrimSpace(cookie.GetStr(d.Cookie, "passport_csrf_token")); csrf != "" {
-			req.SetHeader("x-tt-passport-csrf-token", csrf)
+	if public {
+		reqUrl = DoubaoURL + "/passport/anonymity_user/biz_auth/"
+	} else {
+		reqUrl = DoubaoURL + "/passport/user/biz_auth/"
+		if d.Cookie != "" {
+			req.SetHeader("cookie", d.Cookie)
+			if csrf := strings.TrimSpace(cookie.GetStr(d.Cookie, "passport_csrf_token")); csrf != "" {
+				req.SetHeader("x-tt-passport-csrf-token", csrf)
+			}
+		}
+		if oldAuth := d.resolveAuthorization(); oldAuth != "" {
+			req.SetHeader("authorization", oldAuth)
 		}
-	}
-	if oldAuth := d.resolveAuthorization(); oldAuth != "" {
-		req.SetHeader("authorization", oldAuth)
 	}
 	if dpop != "" {
 		req.SetHeader("dpop", dpop)
@@ -424,23 +436,22 @@ func (d *DoubaoNew) fetchBizAuth(dpop string) (string, error) {
 	req.SetQueryParam("account_sdk_source", d.AuthSDKSource)
 	req.SetQueryParam("sdk_version", d.AuthSDKVersion)
 
-	res, err := req.Post(DoubaoURL + "/passport/user/biz_auth/")
+	res, err := req.Post(reqUrl)
 	if err != nil {
 		return "", err
 	}
 	var resp bizAuthResp
 	if err = json.Unmarshal(res.Body(), &resp); err != nil {
 		return "", err
 	}
-	ok := resp.Message != "success" && strings.TrimSpace(resp.Data.AccessToken) != ""
-	if !ok {
+	if resp.Message != "success" || resp.Data.AccessToken == "" {
 		return "", fmt.Errorf("[doubao_new] %s: %s", resp.Message, resp.Data.Description)
 	}
-	return strings.TrimSpace(resp.Data.AccessToken), nil
+	return resp.Data.AccessToken, nil
 }
 
 func (d *DoubaoNew) refreshAuthorizationWithDPoP(dpop string) (string, error) {
-	token, err := d.fetchBizAuth(dpop)
+	token, err := d.fetchBizAuth(dpop, false)
 	if err == nil && token != "" {
 		return token, nil
 	}
@@ -451,9 +462,9 @@ func (d *DoubaoNew) refreshAuthorizationWithDPoP(dpop string) (string, error) {
 }
 
 func (d *DoubaoNew) resolveDpopForRequest(method, rawURL string) (string, error) {
-	if d.DpopKeyPair != nil {
+	if d.DPoPKeyPair != nil {
 		proof, err := GenerateDPoPToken(DPoPTokenInput{
-			KeyPair: d.DpopKeyPair,
+			KeyPair: d.DPoPKeyPair,
 			HTM:     strings.ToUpper(strings.TrimSpace(method)),
 			HTU:     normalizeDPoPURL(rawURL),
 		})
@@ -463,37 +474,39 @@ func (d *DoubaoNew) resolveDpopForRequest(method, rawURL string) (string, error)
 		return proof.DPoPToken, nil
 	}
 
-	static := d.Dpop
+	static := d.DPoP
 	if static == "" {
 		return "", nil
 	}
-	if payload, err := parseDPoPPayload(static); err == nil && payload.Exp > 0 {
-		now := time.Now().Unix()
-		if payload.Exp <= now+defaultDpopRefreshAheadSeconds {
-			return "", errors.New("static dpop token expired or near expiry; configure dpop_key_pair for automatic refresh")
+	if !d.IgnoreJWTCheck {
+		if payload, err := parseDPoPPayload(static); err == nil && payload.Exp > 0 {
+			now := time.Now().Unix()
+			if payload.Exp <= now+defaultDpopRefreshAheadSeconds {
+				return "", errors.New("static dpop token expired or near expiry; configure dpop_key_pair for automatic refresh")
+			}
 		}
 	}
 	return static, nil
 }
 
+func (d *DoubaoNew) ensureAuthAdditons() bool {
+	return d.DPoPKeySecret != "" && d.AuthClientID != "" && d.AuthClientType != "" &&
+		d.AuthScope != "" && d.AuthSDKSource != "" && d.AuthSDKVersion != ""
+}
+
 func (d *DoubaoNew) resolveAuthorizationForRequest(method, rawURL string) (string, error) {
-	if !shouldRefreshJWT(d.Authorization, defaultAuthRefreshAheadSeconds) {
+	if !shouldRefreshJWT(d.Authorization) {
 		return d.resolveAuthorization(), nil
 	}
-	// 刷新 Authorization Token 的前置条件：
-	// 1. DPoP 密钥对
-	// 2. Cookie
-	// 3. AuthClientID、AuthClientType、AuthScope、AuthSDKSource、AuthSDKVersion
-	if d.DpopKeyPair == nil || strings.TrimSpace(d.Cookie) == "" ||
-		d.AuthClientID == "" || d.AuthClientType == "" || d.AuthScope == "" ||
-		d.AuthSDKSource == "" || d.AuthSDKVersion == "" {
+
+	if d.DPoPKeyPair == nil || strings.TrimSpace(d.Cookie) == "" || !d.ensureAuthAdditons() {
 		return d.resolveAuthorization(), nil
 	}
 
 	d.authRefreshMu.Lock()
 	defer d.authRefreshMu.Unlock()
 
-	if !shouldRefreshJWT(d.Authorization, defaultAuthRefreshAheadSeconds) {
+	if !shouldRefreshJWT(d.Authorization) {
 		return d.resolveAuthorization(), nil
 	}
 
@@ -513,6 +526,41 @@ func (d *DoubaoNew) resolveAuthorizationForRequest(method, rawURL string) (strin
 	return d.resolveAuthorization(), nil
 }
 
+func (d *DoubaoNew) resolveAuthorizationForPublic() (dpop string, auth string, err error) {
+	if d.DPoPPublic != "" && !shouldRefreshJWT(d.AuthorizationPublic) {
+		return d.DPoPPublic, "DPoP " + d.AuthorizationPublic, nil
+	}
+
+	if !d.ensureAuthAdditons() {
+		return "", "", fmt.Errorf("[doubao_new] missing auth additions, please fill them all")
+	}
+
+	d.authRefreshPublicMu.Lock()
+	defer d.authRefreshPublicMu.Unlock()
+
+	if d.DPoPPublic != "" && !shouldRefreshJWT(d.AuthorizationPublic) {
+		return d.DPoPPublic, "DPoP " + d.AuthorizationPublic, nil
+	}
+
+	// generate new public dpop
+	keypair, err := GenerateDPoPKeyPair()
+	if err != nil {
+		return "", "", err
+	}
+	proof, err := GenerateDPoPToken(DPoPTokenInput{
+		KeyPair: keypair,
+	})
+	d.DPoPPublic = proof.DPoPToken
+
+	// get authorization token
+	d.AuthorizationPublic, err = d.fetchBizAuth(proof.DPoPToken, true)
+	if err != nil {
+		return "", "", err
+	}
+
+	return d.DPoPPublic, "DPoP " + d.AuthorizationPublic, nil
+}
+
 func (d *DoubaoNew) applyAuthHeaders(req *resty.Request, method, rawURL string) error {
 	auth, err := d.resolveAuthorizationForRequest(method, rawURL)
 	if err != nil {
diff --git a/drivers/doubao_new/driver.go b/drivers/doubao_new/driver.go
@@ -31,15 +31,18 @@ type DoubaoNew struct {
 	Addition
 	TtLogid string
 
-	// DPoP access token (Authorization header value)
-	Authorization string
+	// DPoP access token (Authorization header value, without DPoP prefix)
+	Authorization       string
+	AuthorizationPublic string
 	// DPoP header value
-	Dpop string
+	DPoP       string
+	DPoPPublic string
 	// DPoP key pair for generating DPoP
-	DpopKeyPairStr string
-	DpopKeyPair    *ecdsa.PrivateKey
+	DPoPKeyPairStr string
+	DPoPKeyPair    *ecdsa.PrivateKey
 
-	authRefreshMu sync.Mutex
+	authRefreshMu       sync.Mutex
+	authRefreshPublicMu sync.Mutex
 }
 
 func (d *DoubaoNew) Config() driver.Config {
@@ -59,12 +62,12 @@ func (d *DoubaoNew) Init(ctx context.Context) error {
 		}
 		dpop := strings.TrimSpace(cookie.GetStr(d.Cookie, "LARK_SUITE_DPOP"))
 		if dpop != "" {
-			d.Dpop = dpop
+			d.DPoP = dpop
 		}
 		keypair := strings.TrimSpace(cookie.GetStr(d.Cookie, "feishu_dpop_keypair"))
-		if keypair != "" {
-			d.DpopKeyPairStr = keypair
-			d.DpopKeyPair, _ = parseEncryptedDPoPKeyPair(keypair)
+		if keypair != "" && d.DPoPKeySecret != "" {
+			d.DPoPKeyPairStr = keypair
+			d.DPoPKeyPair, _ = parseEncryptedDPoPKeyPair(keypair, d.DPoPKeySecret)
 		}
 	}
 	return nil
@@ -74,11 +77,11 @@ func (d *DoubaoNew) Drop(ctx context.Context) error {
 	if d.Authorization != "" {
 		d.Cookie = cookie.SetStr(d.Cookie, "LARK_SUITE_ACCESS_TOKEN", d.Authorization)
 	}
-	if d.Dpop != "" {
-		d.Cookie = cookie.SetStr(d.Cookie, "LARK_SUITE_DPOP", d.Dpop)
+	if d.DPoP != "" {
+		d.Cookie = cookie.SetStr(d.Cookie, "LARK_SUITE_DPOP", d.DPoP)
 	}
-	if d.DpopKeyPairStr != "" {
-		d.Cookie = cookie.SetStr(d.Cookie, "feishu_dpop_keypair", d.DpopKeyPairStr)
+	if d.DPoPKeyPairStr != "" {
+		d.Cookie = cookie.SetStr(d.Cookie, "feishu_dpop_keypair", d.DPoPKeyPairStr)
 	}
 	op.MustSaveDriverStorage(d)
 	return nil
@@ -131,13 +134,26 @@ func (d *DoubaoNew) Link(ctx context.Context, file model.Obj, args model.LinkArg
 	if obj.IsFolder {
 		return nil, fmt.Errorf("link is directory")
 	}
-	if args.Type == "preview" || args.Type == "thumb" {
-		if link, err := d.previewLink(ctx, obj, args); err == nil {
-			return link, nil
+	var (
+		err        error
+		auth, dpop string
+	)
+	if d.ShareLink {
+		err := d.createShare(ctx, obj)
+		if err != nil {
+			return nil, err
+		}
+		dpop, auth, err = d.resolveAuthorizationForPublic()
+	} else {
+		// TODO: append previewLink() with auth args to support ShareLink
+		if args.Type == "preview" || args.Type == "thumb" {
+			if link, err := d.previewLink(ctx, obj, args); err == nil {
+				return link, nil
+			}
 		}
+		auth = d.resolveAuthorization()
+		dpop, err = d.resolveDpopForRequest(http.MethodGet, DownloadBaseURL+"/space/api/box/stream/download/all/"+obj.ObjToken+"/")
 	}
-	auth := d.resolveAuthorization()
-	dpop, err := d.resolveDpopForRequest(http.MethodGet, DownloadBaseURL+"/space/api/box/stream/download/all/"+obj.ObjToken+"/")
 	if err != nil {
 		return nil, err
 	}
diff --git a/drivers/doubao_new/meta.go b/drivers/doubao_new/meta.go
@@ -11,11 +11,14 @@ type Addition struct {
 	// define other
 	Cookie         string `json:"cookie" required:"true" help:"Web Cookie"`
 	AppID          string `json:"app_id" required:"true" default:"497858" help:"Doubao App ID"`
+	DPoPKeySecret  string `json:"dpop_key_secret" help:"DPoP Key Secret for generating DPoP token"`
 	AuthClientID   string `json:"auth_client_id" help:"Doubao Biz Auth Client ID"`
 	AuthClientType string `json:"auth_client_type" help:"Doubao Biz Auth Client Type"`
 	AuthScope      string `json:"auth_scope" help:"Doubao Biz Auth Scope"`
 	AuthSDKSource  string `json:"auth_sdk_source" help:"Doubao Biz Auth SDK Source"`
 	AuthSDKVersion string `json:"auth_sdk_version" help:"Doubao Biz Auth SDK Version"`
+	ShareLink      bool   `json:"share_link" help:"Whether to use share link for download"`
+	IgnoreJWTCheck bool   `json:"ignore_jwt_check" help:"Whether to ignore JWT check to prevent time issue"`
 }
 
 var config = driver.Config{
diff --git a/drivers/doubao_new/util.go b/drivers/doubao_new/util.go
@@ -267,6 +267,43 @@ func (d *DoubaoNew) previewLink(ctx context.Context, obj *Object, args model.Lin
 	}, nil
 }
 
+func (d *DoubaoNew) createShare(ctx context.Context, obj *Object) error {
+	doRequest := func(csrfToken string) (*resty.Response, []byte, error) {
+		req := base.RestyClient.R()
+		req.SetContext(ctx)
+		req.SetHeader("accept", "application/json, text/plain, */*")
+		req.SetHeader("origin", DoubaoURL)
+		req.SetHeader("referer", DoubaoURL+"/")
+		if err := d.applyAuthHeaders(req, http.MethodPost, BaseURL+"/space/api/suite/permission/public/update.v5/"); err != nil {
+			return nil, nil, err
+		}
+		if csrfToken != "" {
+			req.SetHeader("x-csrftoken", csrfToken)
+		}
+		req.SetHeader("Content-Type", "application/json")
+		req.SetBody(base.Json{
+			"external_access_entity": 1,
+			"link_share_entity":      4,
+			"token":                  obj.ObjToken,
+			"type":                   obj.ObjType,
+		})
+		res, err := req.Execute(http.MethodPost, BaseURL+"/space/api/suite/permission/public/update.v5/")
+		if err != nil {
+			return nil, nil, err
+		}
+		return res, res.Body(), nil
+	}
+
+	res, body, err := doRequestWithCsrf(doRequest)
+	if err != nil {
+		return err
+	}
+	if err := decodeBaseResp(body, res); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (d *DoubaoNew) createFolder(ctx context.Context, parentToken, name string) (Node, error) {
 	data := url.Values{}
 	data.Set("name", name)
